[squid-users] mimeInit: /etc/squid/mime.conf: (13) Permission denied

2015-06-10 Thread yashvinder hooda
Squid log says Permission denied for the file /etc/squid/mime.conf,
while the permissions on it are:

-rwxrwxrwx 1 nobody root 11364 May  9 15:40 mime.conf
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
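Added example, not part of the post. EACCES on a file whose own mode is already 0777 means the open() was refused somewhere else: a parent directory that the cache_effective_user cannot search (missing x bit), or a mandatory access control layer such as SELinux or AppArmor. The script walks the path as the daemon user and flags the world-writable mode, which is a problem of its own (any local account can rewrite the MIME table Squid loads). The path and the user "nobody" are taken from the listing above; that Squid runs as "nobody" is an assumption to check against cache_effective_user in squid.conf.

```shell
#!/bin/sh
# Added example, not from the post. EACCES on a file whose own mode is 0777
# means the open() was refused somewhere else: a parent directory without the
# search (x) bit for Squid's cache_effective_user, or a mandatory access
# control layer (SELinux, AppArmor). The path and the user "nobody" are
# taken from the post; everything else here is an assumption.

# Every directory that must be searchable for the file to be opened.
ancestors() {  # ancestors /etc/squid/mime.conf -> "/ /etc /etc/squid"
  dir=${1%/*}; out=""
  while [ -n "$dir" ]; do
    out="$dir $out"
    dir=${dir%/*}
  done
  printf '/ %s\n' "$out" | sed 's/ *$//'
}

# ls -l mode string -> true when anyone on the box may rewrite the file.
# Squid's config files should be 0644 root:root; chmod 777 is never the fix.
world_writable() {  # world_writable -rwxrwxrwx
  case "$1" in ????????w*) return 0 ;; *) return 1 ;; esac
}

# Try the walk as the daemon user (sudo), or as yourself if sudo is missing,
# in which case the answer is about you, not about "nobody".
check_as_user() {  # check_as_user nobody /etc/squid/mime.conf
  user=$1; file=$2; run=""
  command -v sudo >/dev/null 2>&1 && run="sudo -n -u $user"
  for d in $(ancestors "$file"); do
    $run test -x "$d" || { echo "$user cannot search $d (needs x)"; return 1; }
  done
  $run test -r "$file" || { echo "$user cannot read $file"; return 1; }
  echo "DAC permissions are fine for $user on $file."
  echo "Next: check cache_effective_user in squid.conf, and any SELinux/AppArmor denials (ausearch -m avc, dmesg)."
}

if [ -e /etc/squid/mime.conf ]; then
  ls -l /etc/squid/mime.conf
  world_writable "$(ls -l /etc/squid/mime.conf | cut -c1-10)" && echo "warning: mime.conf is world-writable"
  check_as_user nobody /etc/squid/mime.conf
fi
```

namei -l /etc/squid/mime.conf shows the same chain of owners and modes in one command where util-linux is installed; the point of the walk is that the directory bits, not the file bits, are what a 777 file still fails on.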


[squid-users] Question about patch for CVE-2014-7141 and -7142

2015-06-10 Thread Stacy Yeh
Hello,

I am attempting to patch the security issues from CVE-2014-7141 and
CVE-2014-7142 for Squid 3.1.23 using the 3.1 patch provided here:
http://www.squid-cache.org/Advisories/SQUID-2014_4.txt

However, I am running into the following error:


/builds/sachi/squid-component/components/squid/squid-3.1.23/src/icmp/Icmp4.cc:
In member function 'virtual void Icmp4::Recv()':

/builds/sachi/squid-component/components/squid/squid-3.1.23/src/icmp/Icmp4.cc:203:9:
error: 'Ip' has not been declared
Ip::Address::FreeAddrInfo(from);
^

/builds/sachi/squid-component/components/squid/squid-3.1.23/src/icmp/Icmp4.cc:261:9:
error: 'Ip' has not been declared
Ip::Address::FreeAddrInfo(from);
^
make[4]: *** [Icmp4.o] Error 1
make[4]: Leaving directory
'/builds/sachi/squid-component/components/squid/build/amd64/src/icmp'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory
'/builds/sachi/squid-component/components/squid/build/amd64/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory
'/builds/sachi/squid-component/components/squid/build/amd64/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory
'/builds/sachi/squid-component/components/squid/build/amd64'
gmake: ***
[/builds/sachi/squid-component/components/squid/build/amd64/.built]
Error 2

Can anyone help me resolve this?

Thank you,
Stacy


[squid-users] Quick peek-splice clarification

2015-06-10 Thread James Lay
All,

From the docs at:

http://wiki.squid-cache.org/Features/SslPeekAndSplice

peek (step1, step2): Receive SNI and client certificate (step1), or server
certificate (step2) while preserving the possibility of splicing the
connection. Peeking at the server certificate usually precludes future
bumping of the connection (see Limitations). This action is the focus of
this project.

stare (step1, step2): Receive SNI and client certificate (step1), or server
certificate (step2) while preserving the possibility of bumping the
connection. Staring at the server certificate usually precludes future
splicing of the connection. Currently, we are not aware of any work being
done to support this action.


I see a lot of:

ssl_bump peek all

Does this perform both step1 with SNI and client cert, AND server cert?
Thank you.

James
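The table quoted above lists peek under both step1 and step2, so "ssl_bump peek all" matches at both: Squid peeks at the ClientHello/SNI and then again at the server certificate, and that second peek is what normally rules out bumping later. Added example, not from the post or the wiki page: the two-line configuration that "peek all" usually ends up in, next to one that peeks only at step1 using the at_step ACL, so that bumping is still possible for everything you do not splice. It assumes an http_port with ssl-bump is already configured; the .bank.example domain is a made-up placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or the wiki. Two ssl_bump rule sets
# side by side. Assumes an http_port ... ssl-bump line already exists.

# "peek all" fires at step1 (SNI) and again at step2 (server certificate).
# Having peeked at the server cert, Squid can normally no longer bump, so
# the only sensible terminal action left is splice.
peek_all_conf() {
cat <<'EOF'
ssl_bump peek all
ssl_bump splice all
EOF
}

# Peek only at step1: the SNI is enough to decide what to leave alone, and
# nothing has been done yet that would prevent bumping the rest.
peek_step1_only_conf() {
cat <<'EOF'
acl step1 at_step SslBump1
acl nobump ssl::server_name .bank.example   # assumed list of sites never to intercept

ssl_bump peek step1        # look at the client's SNI, nothing more
ssl_bump splice nobump     # tunnel those untouched
ssl_bump bump all          # everything else gets a mimicked certificate
EOF
}

echo "# what 'peek all' amounts to:"; peek_all_conf
echo; echo "# peek at step1 only:"; peek_step1_only_conf
```

Run "squid -k parse" after dropping either fragment into squid.conf; the at_step ACL and ssl::server_name are Squid 3.5 features and will not parse on older releases.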


Re: [squid-users] TCP_MISS/403 353 HEAD text/plain Error help !!

2015-06-10 Thread snakeeyes
Amos,
Do you want me to do more debugging for you?


Thanks

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Wednesday, June 10, 2015 10:28 AM
To: snakeeyes
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] TCP_MISS/403 353 HEAD text/plain Error help !!

On 11/06/2015 2:50 p.m., snakeeyes wrote:
> 
> Amos, it worked great from another paid proxy. Can you help please?
> 
> I used proxy 186.93.127.34:8080
> 
> And it worked !!
> 
> Can you assist me please?
> 

I can't with the data available, sorry. You will have to find out what that other 
proxy is doing differently.

Amos



[squid-users] cgi-bin

2015-06-10 Thread Marcel Fossua
Hi mate,
I have this set in my squid.conf, but it seems that this is obsolete. How can I
nicely convert it for this version? Is it true, as the log suggests, that I should use
always_direct?

hierarchy_stoplist cgi-bin ? .js .jsp
acl QUERY urlpath_regex cgi-bin \? .js .jsp
no_cache deny QUERY

2015/06/10 20:53:42| ERROR: Directive 'hierarchy_stoplist' is obsolete.
2015/06/10 20:53:42| hierarchy_stoplist : Remove this line. Use
always_direct or cache_peer_access ACLs instead if you need to prevent
cache_peer use.

Just to confirm, is this the right way?
always_direct cgi-bin ? .js .jsp
acl QUERY urlpath_regex cgi-bin \? .js .jsp
no_cache deny QUERY


Thanks



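Added example, not Marcel's configuration. It writes his three lines in the syntax the parser message asks for: hierarchy_stoplist is gone, no_cache is the old spelling of the "cache" directive, and always_direct, like every Squid access list, takes an allow/deny verb and an ACL name rather than a bare pattern list. The regex patterns are tightened and anchored; his unanchored ".js" also matched ".json" and anything else with a "js" in it.

```shell
#!/bin/sh
# Added example, not Marcel's configuration. The same three lines in the
# syntax the parser message asks for.

modern_cgi_bin_conf() {
cat <<'EOF'
# dynamic content: cgi-bin, anything with a query string, .js and .jsp
# (the original ".js" was an unanchored regex and also hit e.g. .json)
acl QUERY urlpath_regex -i cgi-bin \? \.js$ \.jsp$
# never store it ...
cache deny QUERY
# ... and always fetch it from the origin, never via a cache_peer
always_direct allow QUERY
EOF
}

# Where a squid binary exists, have it parse the fragment: this is the
# "squid -k parse" check Amos asks for elsewhere in this archive.
validate_fragment() {  # validate_fragment /path/to/fragment.conf
  command -v squid >/dev/null 2>&1 || { echo "no squid binary here; skipping parse"; return 0; }
  squid -k parse -f "$1"
}

out=${TMPDIR:-/tmp}/cgi-bin-fragment.conf
modern_cgi_bin_conf > "$out"
validate_fragment "$out"
```

On Squid 3.x the "cache deny QUERY" line is optional: the shipped squid.conf handles dynamic content with "refresh_pattern -i (/cgi-bin/|\?) 0 0% 0" and otherwise trusts the origin's caching headers. The always_direct line only does anything when cache_peer is configured, which is exactly what the ERROR message says hierarchy_stoplist used to be for.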


Re: [squid-users] spotify blocked by squid

2015-06-10 Thread Jonathan Filogna

I'll be glad to send you those errors.

Amos, thank you so much for your attention and participation.

Jonathan
On 10/06/15 at 16:25, Amos Jeffries wrote:

On 11/06/2015 6:39 a.m., Jonathan Filogna wrote:

Thanks, Amos.

one more question

if I run apt-get install squid3 on my debian server, I must change some
lines like http_body_reply. But I can keep my old squid.conf, right?


Yes. The squid3 package will currently install a whole separate set of
binaries and directories so your 'squid' install is all still in place
and working. You can copy the old config or not, up to you. If you do,
use "squid3 -k parse" to see what minimally needs changing for it to run.

It happens that I'm working through in the process of making a new squid
package that auto-upgrades from 2.7 to 3.5. So I am interested in
hearing about any ERROR/FATAL messages -k parse produces on your old config.

Amos





Re: [squid-users] spotify blocked by squid

2015-06-10 Thread Amos Jeffries
On 11/06/2015 6:39 a.m., Jonathan Filogna wrote:
> Thanks, Amos.
> 
> one more question
> 
> if I run apt-get install squid3 on my debian server, I must change some
> lines like http_body_reply. But I can keep my old squid.conf, right?
> 

Yes. The squid3 package will currently install a whole separate set of
binaries and directories so your 'squid' install is all still in place
and working. You can copy the old config or not, up to you. If you do,
use "squid3 -k parse" to see what minimally needs changing for it to run.

It happens that I'm working through in the process of making a new squid
package that auto-upgrades from 2.7 to 3.5. So I am interested in
hearing about any ERROR/FATAL messages -k parse produces on your old config.

Amos



Re: [squid-users] squidGuard configuration test - echo test [SOLVED]

2015-06-10 Thread Jose Julian Buda



On 08/06/15 08:10, Helmut Hullen wrote:

Hello Amos,

you wrote on 08.06.15:


Under squid 3.4 (and many earlier versions) I use

 url_rewrite_program /usr/bin/squidGuard

How must I change this line for squid 3.5?



You should not have to change the SG command line or configuration.


Ok!


What's needed is a patch from
  to be applied to
SG itself. If you are using an OS provided SG binary check to see if
they have already patched it.


It's not patched in my version, but it works under squid 3.4.10 -
strange.


The above page mentions

http://www.eu.squid-cache.org/Doc/config/url_rewrite_extras

but  this page doesn't yet exist.


[...]


That should be:



   
and
   


Ok - now I can read the pages!

Best regards!
Helmut



Thank you all. squidGuard 1.5.4 from Debian's repository works fine on 
Debian Jessie's Squid 3.4; I made it work yesterday, and it does it well.
"ERR" from squidGuard means "Do not change the URL", and lets squid pass 
the request.


Thank you for your time.

Julian



Re: [squid-users] spotify blocked by squid

2015-06-10 Thread Jonathan Filogna
Where it says http_body_reply it should say reply_body_max_size.


I'm so tired right now... I apologize.

Jonathan

2015-06-10 15:39 GMT-03:00 Jonathan Filogna :

> Thanks, Amos.
>
> one more question
>
> if I run apt-get install squid3 on my debian server, I must change some
> lines like http_body_reply. But I can keep my old squid.conf, right?
>
> I meant, how can I upgrade successfully?
> Should I start the installation from scratch?
> This server's almost in production but this bug is a real pain.
>
> Jonathan.
>
> 2015-06-10 15:02 GMT-03:00 Amos Jeffries :
>
>> On 11/06/2015 5:39 a.m., Jonathan Filogna wrote:
>> > Hi all, it's me again, just a simple question
>> >
>> > I've configured a squid 2.7 with ntlm auth and I want to let some AD users
>> > listen to spotify
>> >
>> > My problem is that spotify streaming is being blocked by squid for this
>> > group and I don't know why. Maybe another syntax problem?
>>
>> Some possibilities:
>>
>> * 2.7 has an old bug where CONNECT requests could drop the first few
>> bytes of a connection if they were received in the same packets as the
>> HTTP message itself. Modern uses of port 443 depend on that case working.
>>
>> * NTLM severely violates many requirements of HTTP. The only way for it
>> to have half a chance of working with CONNECT is "auth_param ntlm
>> keep_alive off"
>>
>> * 504 means the connection to upstream timed out. Could be both of the
>> above happening at once. So what should go to the server first didn't get
>> sent, nothing comes back as server waits, then
>>
>>
>> PS. Squid-2.7 and even NTLM are both more than 5 years since they
>> stopped receiving support. Please upgrade. The version difference to 3.5
>> is so great now that it may involve some time/pain but is well worth it.
>>
>> Amos
>>
>>
>
>
>
> --
> Jonathan Filogna
> IT Senior
> Tasso SRL
> 4702 1910
>



-- 
Jonathan Filogna
IT Senior
Tasso SRL
4702 1910


Re: [squid-users] spotify blocked by squid

2015-06-10 Thread Jonathan Filogna
Thanks, Amos.

one more question

if I run apt-get install squid3 on my debian server, I must change some
lines like http_body_reply. But I can keep my old squid.conf, right?

I meant, how can I upgrade successfully?
Should I start the installation from scratch?
This server's almost in production but this bug is a real pain.

Jonathan.

2015-06-10 15:02 GMT-03:00 Amos Jeffries :

> On 11/06/2015 5:39 a.m., Jonathan Filogna wrote:
> > Hi all, it's me again, just a simple question
> >
> > I've configured a squid 2.7 with ntlm auth and I want to let some AD users
> > listen to spotify
> >
> > My problem is that spotify streaming is being blocked by squid for this
> > group and I don't know why. Maybe another syntax problem?
>
> Some possibilities:
>
> * 2.7 has an old bug where CONNECT requests could drop the first few
> bytes of a connection if they were received in the same packets as the
> HTTP message itself. Modern uses of port 443 depend on that case working.
>
> * NTLM severely violates many requirements of HTTP. The only way for it
> to have half a chance of working with CONNECT is "auth_param ntlm
> keep_alive off"
>
> * 504 means the connection to upstream timed out. Could be both of the
> above happening at once. So what should go to the server first didn't get
> sent, nothing comes back as server waits, then
>
>
> PS. Squid-2.7 and even NTLM are both more than 5 years since they
> stopped receiving support. Please upgrade. The version difference to 3.5
> is so great now that it may involve some time/pain but is well worth it.
>
> Amos
>
>



-- 
Jonathan Filogna
IT Senior
Tasso SRL
4702 1910


Re: [squid-users] spotify blocked by squid

2015-06-10 Thread Amos Jeffries
On 11/06/2015 5:39 a.m., Jonathan Filogna wrote:
> Hi all, it's me again, just a simple question
> 
> I've configured a squid 2.7 with ntlm auth and I want to let some AD users
> listen to spotify
> 
> My problem is that spotify streaming is being blocked by squid for this
> group and I don't know why. Maybe another syntax problem?

Some possibilities:

* 2.7 has an old bug where CONNECT requests could drop the first few
bytes of a connection if they were received in the same packets as the
HTTP message itself. Modern uses of port 443 depend on that case working.

* NTLM severely violates many requirements of HTTP. The only way for it
to have half a chance of working with CONNECT is "auth_param ntlm
keep_alive off"

* 504 means the connection to upstream timed out. Could be both of the
above happening at once. So what should go to the server first didn't get
sent, nothing comes back as server waits, then


PS. Squid-2.7 and even NTLM are both more than 5 years since they
stopped receiving support. Please upgrade. The version difference to 3.5
is so great now that it may involve some time/pain but is well worth it.

Amos



Re: [squid-users] spotify blocked by squid

2015-06-10 Thread Jonathan Filogna
FYI access.log

1433958220.321227 192.168.27.81 TCP_MISS/504 0 CONNECT
wevhbpyvhx.spotilocal.com:4370 proxyvipstr DIRECT/127.0.0.1 -
1433958220.421  2 192.168.27.81 TCP_MISS/504 0 CONNECT
wevhbpyvhx.spotilocal.com:4371 proxyvipstr DIRECT/127.0.0.1 -
1433958220.595  3 192.168.27.81 TCP_MISS/504 0 CONNECT
wevhbpyvhx.spotilocal.com:4372 proxyvipstr DIRECT/127.0.0.1 -
1433958220.664  2 192.168.27.81 TCP_MISS/504 0 CONNECT
wevhbpyvhx.spotilocal.com:4373 proxyvipstr DIRECT/127.0.0.1 -
1433958220.795  2 192.168.27.81 TCP_MISS/504 0 CONNECT
wevhbpyvhx.spotilocal.com:4374 proxyvipstr DIRECT/127.0.0.1 -
1433958220.812  1 192.168.27.81 TCP_MISS/504 0 CONNECT
wevhbpyvhx.spotilocal.com:4375 proxyvipstr DIRECT/127.0.0.1 -
1433958220.824  2 192.168.27.81 TCP_MISS/504 0 CONNECT
wevhbpyvhx.spotilocal.com:4376 proxyvipstr DIRECT/127.0.0.1 -
1433958220.838  1 192.168.27.81 TCP_MISS/504 0 CONNECT
wevhbpyvhx.spotilocal.com:4377 proxyvipstr DIRECT/127.0.0.1 -
1433958220.853  1 192.168.27.81 TCP_MISS/504 0 CONNECT
wevhbpyvhx.spotilocal.com:4378 proxyvipstr DIRECT/127.0.0.1 -
1433958220.877  3 192.168.27.81 TCP_MISS/504 0 CONNECT
wevhbpyvhx.spotilocal.com:4379 proxyvipstr DIRECT/127.0.0.1 -


2015-06-10 14:39 GMT-03:00 Jonathan Filogna :

> Hi all, it's me again, just a simple question
>
> I've configured a squid 2.7 with ntlm auth and I want to let some AD
> users listen to spotify
>
> My problem is that spotify streaming is being blocked by squid for this
> group and I don't know why. Maybe another syntax problem?
>
> here's my squid.conf
>
>
> ###SQUID.CONF
>
> visible_hostname prana
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 5
> auth_param ntlm keep_alive on
>
>
> external_acl_type ntlm_group ttl=3600 children=100 %LOGIN /usr/lib/squid/
> wbinfo_group.pl
>
>
> acl porno url_regex -i "/etc/squid/listas/porno.lst"
> acl permitidos dstdomain -i "/etc/squid/listas/permitidos.lst"
> acl directo url_regex -i "/etc/squid/listas/direct.lst"
> acl vidyaud rep_mime_type -i "/etc/squid/listas/blockstr.lst"
> acl useragent browser -i "/etc/squid/blockejec/browser.lst"
> acl blockstr req_mime_type -i "/etc/squid/blockejec/blocstreaming.lst"
> acl blockejec url_regex -i "/etc/squid/blockejec/blockejec.lst"
> acl audyvid req_mime_type -i "/etc/squid/listas/blockstr.lst"
> acl blockstr2 rep_mime_type -i "/etc/squid/blockejec/blocstreaming.lst"
> acl destinolimitado dstdomain -i "/etc/squid/listas/limitado.lst"
>
> acl all src all
> acl CONNECT method CONNECT
> acl manager proto cache_object
> acl webserver src 192.168.8.121/255.255.255.255
> http_access allow manager webserver
> http_reply_access allow manager webserver
> http_access deny manager
>
> http_access deny porno all
> http_reply_access deny porno all
> acl uservipstr external ntlm_group "/etc/squid/listas/uservipstr.lst"
>
> http_access deny blockejec uservipstr
>
> http_access allow uservipstr
> http_reply_access allow uservipstr
>
> http_access deny blockstr !uservipstr all
> http_reply_access deny blockstr !uservipstr all
> http_access deny blockstr2 !uservipstr all
> http_reply_access deny blockstr2 !uservipstr all
> http_access deny audyvid !uservipstr all
> http_access deny vidyaud !uservipstr all
> http_reply_access deny audyvid !uservipstr all
> http_reply_access deny vidyaud !uservipstr all
>
> acl SSL_ports port 443 # https
> acl SSL_ports port 563 # snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl Safe_ports port 78 69 #Spotify
>
>
>
> # Deny requests to unknown ports
> #http_access allow Safe_ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
>
> acl ntlm proxy_auth REQUIRED
> http_access allow ntlm
> http_reply_access allow ntlm
> http_access deny all
> http_reply_access deny all
>
> ###
>
> thank you all
>
> --
> Jonathan Filogna
> IT Senior
> Tasso SRL
> 4702 1910
>



-- 
Jonathan Filogna
IT Senior
Tasso SRL
4702 1910
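Added example, not from the thread. In Squid's native access.log format the hierarchy field carries the address Squid actually connected to, and every line above reads DIRECT/127.0.0.1: for each of these CONNECTs the proxy resolved the spotilocal.com name to 127.0.0.1 and dialled its own loopback, not a Spotify server. Whether that alone accounts for the 504s is not settled in the thread, but a forward proxy opening connections to its own loopback on a client's behalf is something to refuse regardless. The script re-parses the posted lines (copied from the post, wrapped lines re-joined, the merged timestamp and duration on the first line re-spaced) and prints the rule Squid's shipped configuration uses for this.

```shell
#!/bin/sh
# Added example, not from the thread. The access.log lines are the ones
# Jonathan posted, re-joined onto single lines. Native log format:
#   timestamp duration(ms) client result/status bytes method URL user hierarchy/server-ip type
# Field 9 ("DIRECT/127.0.0.1") is the server address Squid tried to reach.
SAMPLE_LOG='1433958220.321 227 192.168.27.81 TCP_MISS/504 0 CONNECT wevhbpyvhx.spotilocal.com:4370 proxyvipstr DIRECT/127.0.0.1 -
1433958220.421 2 192.168.27.81 TCP_MISS/504 0 CONNECT wevhbpyvhx.spotilocal.com:4371 proxyvipstr DIRECT/127.0.0.1 -
1433958220.595 3 192.168.27.81 TCP_MISS/504 0 CONNECT wevhbpyvhx.spotilocal.com:4372 proxyvipstr DIRECT/127.0.0.1 -
1433958220.664 2 192.168.27.81 TCP_MISS/504 0 CONNECT wevhbpyvhx.spotilocal.com:4373 proxyvipstr DIRECT/127.0.0.1 -
1433958220.795 2 192.168.27.81 TCP_MISS/504 0 CONNECT wevhbpyvhx.spotilocal.com:4374 proxyvipstr DIRECT/127.0.0.1 -
1433958220.812 1 192.168.27.81 TCP_MISS/504 0 CONNECT wevhbpyvhx.spotilocal.com:4375 proxyvipstr DIRECT/127.0.0.1 -
1433958220.824 2 192.168.27.81 TCP_MISS/504 0 CONNECT wevhbpyvhx.spotilocal.com:4376 proxyvipstr DIRECT/127.0.0.1 -
1433958220.838 1 192.168.27.81 TCP_MISS/504 0 CONNECT wevhbpyvhx.spotilocal.com:4377 proxyvipstr DIRECT/127.0.0.1 -
1433958220.853 1 192.168.27.81 TCP_MISS/504 0 CONNECT wevhbpyvhx.spotilocal.com:4378 proxyvipstr DIRECT/127.0.0.1 -
1433958220.877 3 192.168.27.81 TCP_MISS/504 0 CONNECT wevhbpyvhx.spotilocal.com:4379 proxyvipstr DIRECT/127.0.0.1 -'

# One "host port server_ip" line per CONNECT that ended in a 504 while
# aimed at a loopback address.
loopback_connect_failures() {
  printf '%s\n' "$SAMPLE_LOG" | awk '
    $6 == "CONNECT" && $4 ~ /\/504$/ && $9 ~ /\/127\.[0-9.]+$/ {
      n = split($7, hp, ":"); split($9, sp, "/")
      print hp[1], hp[n], sp[2]
    }'
}

count_loopback_connect_failures() {
  loopback_connect_failures | wc -l | tr -d ' '
}

# Hardening that belongs in squid.conf whatever ends up fixing the 504s:
# a forward proxy should never connect to its own loopback for a client.
# Squid 3.x ships this ACL in its default squid.conf; the "::1" entry needs
# IPv6 support (3.x), so drop it on 2.7.
to_localhost_rules() {
cat <<'EOF'
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
http_access deny to_localhost
EOF
}

echo "CONNECTs that went to loopback and timed out: $(count_loopback_connect_failures)"
loopback_connect_failures
echo; echo "# add near the top of the http_access list:"; to_localhost_rules
```

The deny must sit above "http_access allow uservipstr" in the posted config, or that allow line will still match first for the group in question.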


Re: [squid-users] Noticeable difference in DNS Service times after upgrade

2015-06-10 Thread Amos Jeffries
On 11/06/2015 5:16 a.m., Sebastian Goicochea wrote:
> Hello everyone, I just have a quick question
> Is there any difference in how Squid 3.5 measures DNS Service Time
> compared to 2.7 branch?
> We monitor this value using SNMP and it has been nearly 0 for months,
> but after the upgrade it went up to 6ms (with 8ms peaks)
> All other Service times have varied but apparently they improved
> 
> 
> Here's the graphic: http://imgur.com/4pCK3cY


Not that I know of, but there is both more and less being done.

The "more":

* IPv6 support adds an AAAA lookup.

* CVE-2009-0801 protection for intercepted traffic requires A+AAAA
lookup in situations which may previously not have done any at all.

* hosts without FQDN may now have a .local variant looked up.

The "less":

* re-sends of HTTP messages no longer perform full lookups on each
outbound connection attempt. Just one set per message now.

* .local domains no longer have any global DNS lookups. multicast-DNS is
used instead.

Amos



[squid-users] spotify blocked by squid

2015-06-10 Thread Jonathan Filogna
Hi all, it's me again, just a simple question

I've configured a squid 2.7 with ntlm auth and I want to let some AD users
listen to spotify

My problem is that spotify streaming is being blocked by squid for this
group and I don't know why. Maybe another syntax problem?

here's my squid.conf


###SQUID.CONF

visible_hostname prana

auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 5
auth_param ntlm keep_alive on


external_acl_type ntlm_group ttl=3600 children=100 %LOGIN /usr/lib/squid/
wbinfo_group.pl


acl porno url_regex -i "/etc/squid/listas/porno.lst"
acl permitidos dstdomain -i "/etc/squid/listas/permitidos.lst"
acl directo url_regex -i "/etc/squid/listas/direct.lst"
acl vidyaud rep_mime_type -i "/etc/squid/listas/blockstr.lst"
acl useragent browser -i "/etc/squid/blockejec/browser.lst"
acl blockstr req_mime_type -i "/etc/squid/blockejec/blocstreaming.lst"
acl blockejec url_regex -i "/etc/squid/blockejec/blockejec.lst"
acl audyvid req_mime_type -i "/etc/squid/listas/blockstr.lst"
acl blockstr2 rep_mime_type -i "/etc/squid/blockejec/blocstreaming.lst"
acl destinolimitado dstdomain -i "/etc/squid/listas/limitado.lst"

acl all src all
acl CONNECT method CONNECT
acl manager proto cache_object
acl webserver src 192.168.8.121/255.255.255.255
http_access allow manager webserver
http_reply_access allow manager webserver
http_access deny manager

http_access deny porno all
http_reply_access deny porno all
acl uservipstr external ntlm_group "/etc/squid/listas/uservipstr.lst"

http_access deny blockejec uservipstr

http_access allow uservipstr
http_reply_access allow uservipstr

http_access deny blockstr !uservipstr all
http_reply_access deny blockstr !uservipstr all
http_access deny blockstr2 !uservipstr all
http_reply_access deny blockstr2 !uservipstr all
http_access deny audyvid !uservipstr all
http_access deny vidyaud !uservipstr all
http_reply_access deny audyvid !uservipstr all
http_reply_access deny vidyaud !uservipstr all

acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 78 69 #Spotify



# Deny requests to unknown ports
#http_access allow Safe_ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

acl ntlm proxy_auth REQUIRED
http_access allow ntlm
http_reply_access allow ntlm
http_access deny all
http_reply_access deny all

###

thank you all

-- 
Jonathan Filogna
IT Senior
Tasso SRL
4702 1910
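Added example, not from the thread. Squid walks http_access top to bottom and the first line whose ACLs all match decides. In the config above, "http_access allow uservipstr" comes before the Safe_ports and SSL_ports lines, so a member of that group is allowed before the port checks are ever reached. That is why the CONNECTs to :4370 in the access.log got as far as an upstream attempt (TCP_MISS/504) instead of being refused with a 403, and it also means those users may CONNECT to any port at all. The script is a toy of that first-match walk over the posted line order and over the same lines with the port checks moved first, where Squid's shipped squid.conf puts them. It assumes the content ACLs (porno, blockejec, blockstr and friends) do not match a CONNECT, that the user has authenticated, and leaves out the manager/webserver lines, which cannot match such a request either.

```shell
#!/bin/sh
# Added example, not from the thread. A toy of Squid's http_access evaluation
# (first matching line wins; every ACL on the line must match; a leading "!"
# negates one ACL), run over the line order in the squid.conf posted above
# for the request the access.log shows: a CONNECT to port 4370 from a user
# who matched the uservipstr external ACL.

is_ssl_port()  { case "$1" in 443|563|873) return 0 ;; *) return 1 ;; esac; }
is_safe_port() {
  case "$1" in 80|21|443|70|210|280|488|591|777|631|873|901) return 0 ;; esac
  [ "$1" -ge 1025 ] && [ "$1" -le 65535 ]
}

# acl_matches NAME METHOD PORT VIP -> 0 when the named ACL matches the request
acl_matches() {
  case "$1" in
    all)        return 0 ;;
    CONNECT)    [ "$2" = CONNECT ] ;;
    uservipstr) [ "$4" = yes ] ;;
    Safe_ports) is_safe_port "$3" ;;
    SSL_ports)  is_ssl_port "$3" ;;
    ntlm)       return 0 ;;   # proxy_auth REQUIRED: assume the user authenticated
    *)          return 1 ;;   # porno, blockejec, blockstr...: assumed not to match a CONNECT
  esac
}

# line_fires ACTION ACL [ACL...] -> 0 when every ACL on the line matches
line_fires() {
  shift
  for a in "$@"; do
    case "$a" in
      !*) acl_matches "${a#!}" "$METHOD" "$PORT" "$VIP" && return 1 ;;
      *)  acl_matches "$a"     "$METHOD" "$PORT" "$VIP" || return 1 ;;
    esac
  done
  return 0
}

# decide METHOD PORT VIP RULES -> "allow|deny: http_access <line that decided>"
decide() {
  METHOD=$1; PORT=$2; VIP=$3
  while read -r action acls; do
    [ -z "$action" ] && continue
    if line_fires "$action" $acls; then
      echo "$action: http_access $action $acls"
      return 0
    fi
  done <<EOF
$4
EOF
  # real Squid: no match -> the opposite of the last line's action
  echo "no line matched"
}

# http_access lines in the order Jonathan posted them
POSTED='deny porno all
deny blockejec uservipstr
allow uservipstr
deny blockstr !uservipstr all
deny !Safe_ports
deny CONNECT !SSL_ports
allow ntlm
deny all'

# the same lines with the port checks first, as in Squid's shipped squid.conf
REORDERED='deny !Safe_ports
deny CONNECT !SSL_ports
deny porno all
deny blockejec uservipstr
allow uservipstr
deny blockstr !uservipstr all
allow ntlm
deny all'

echo "posted order,      VIP     CONNECT :4370 -> $(decide CONNECT 4370 yes "$POSTED")"
echo "posted order,      non-VIP CONNECT :4370 -> $(decide CONNECT 4370 no  "$POSTED")"
echo "port checks first, VIP     CONNECT :4370 -> $(decide CONNECT 4370 yes "$REORDERED")"
echo "posted order,      non-VIP CONNECT :443  -> $(decide CONNECT 443  no  "$POSTED")"
```

The toy only models the ACL types the question turns on; the lesson carries over unchanged to the real thing: every "allow" placed above the Safe_ports/SSL_ports denies exempts whoever it matches from those denies.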


Re: [squid-users] TCP_MISS/403 353 HEAD text/plain Error help !!

2015-06-10 Thread Amos Jeffries
On 11/06/2015 2:50 p.m., snakeeyes wrote:
> 
> Amos, it worked great from another paid proxy.
> Can you help please?
> 
> I used proxy 186.93.127.34:8080
> 
> And it worked !!
> 
> Can you assist me please?
> 

I can't with the data available, sorry. You will have to find out what
that other proxy is doing differently.

Amos



Re: [squid-users] assertion failed: Read.cc:69: "fd_table[conn->fd].halfClosedReader != NULL"

2015-06-10 Thread Michael Pelletier
OK. I went back to 3.4.13 for prod. I will try upgrading one proxy this
weekend.

On Wed, Jun 10, 2015 at 12:11 PM, Amos Jeffries 
wrote:

> On 10/06/2015 5:24 a.m., Michael Pelletier wrote:
> > Hello,
> >
> > I am getting these errors on 3.5.5 any ideas? Here is my build
> configuration
> >
>
> Please try with the latest 3.5 snapshot. There is a pinning related
> patch there which may help.
>
> Amos
>
>

-- 


*Disclaimer: *Under Florida law, e-mail addresses are public records. If 
you do not want your e-mail address released in response to a public 
records request, do not send electronic mail to this entity. Instead, 
contact this office by phone or in writing.



[squid-users] Noticeable difference in DNS Service times after upgrade

2015-06-10 Thread Sebastian Goicochea

Hello everyone, I just have a quick question
Is there any difference in how Squid 3.5 measures DNS Service Time 
compared to 2.7 branch?
We monitor this value using SNMP and it has been nearly 0 for months, 
but after the upgrade it went up to 6ms (with 8ms peaks)

All other Service times have varied but apparently they improved


Here's the graphic: http://imgur.com/4pCK3cY


Re: [squid-users] TCP_MISS/403 353 HEAD text/plain Error help !!

2015-06-10 Thread snakeeyes

Amos, it worked great from another paid proxy.
Can you help please?

I used proxy 186.93.127.34:8080

And it worked !!

Can you assist me please?

Subject: RE: [squid-users] TCP_MISS/403 353 HEAD text/plain Error help !!

Hi Amos, thanks for the explanation.

But the issue is that it works fine from other paid proxies.

Again, the app is a link converter and it connects to a proxy. I will give you a 
sample of how the app works:

It requests a link as below:
http://convertlink-bla-bla-bla.com/ytd/Youtube.class.php?url=https://www.youtube.com/watch?v=MYSVMgRr6pw&proxy=:


so the xxx: is the proxy ip:port

Again, Amos, since it's outside squid and it works on other proxies, do you 
think we can do anything on our squid?

any other ideas??

cheers

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, June 8, 2015 1:31 AM
To: snakeeyes; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] TCP_MISS/403 353 HEAD text/plain Error help !!

On 8/06/2015 5:36 a.m., snakeeyes wrote:
> Hi Amos thank you so much
> Again, this App IS REMOTE and as a black box.
> It works 100% on other proxies but I need to let it work on my own proxy.
> 
> Now what I did is:
> I added 2 directives to my squid.conf:
> 
> strip_query_terms off
> debug_options 11,2 28,3
> 
> 
> then restarted squid and monitored the logs.
> 
> again I have 2 files monitored, when it worked and when it failed.
> 
> But the strange thing is that it works on some youtube videos and 
> doesn't work on the others
> 
> those files were just as an example:
> file 1 didn't work and gave error 403 ===> 
> https://www.youtube.com/watch?v=MYSVMgRr6pw
> 
> and the other file worked ===>
> https://www.youtube.com/watch?v=p0g9_osImd0
> 
> now I will test the app with those links, note that the 1st line will fail 
> and the 2nd link will succeed.
> 
> I had grabbed the log files and attached them because they are big 
> Name for failed file is =>debug_failed.txt Name for succeeded file 
> ==>debug_worked.txt
> 
> Thanks a lot
> 
> cheers

Your Squid is letting all of both types of traffic through, and it appears not 
to be caching the results.

That is good in a way. It means the problem is clearly something between the 
browser and Google servers, not Squid.

I can see several differences between the client requests. The working ones 
have a line or so more query parameters than the forbidden ones.
They are also consistently going to a different server (working *.12 , failing 
*.14).

Amos



Re: [squid-users] Installing certificate on Andriod to use with SSL-bump

2015-06-10 Thread tolga . cengiz

On 2015-06-10 19:28, James Lay wrote:

On 2015-06-10 10:22 AM, Amos Jeffries wrote:

On 10/06/2015 4:46 p.m., dkandle wrote:
I would like to be able to inspect traffic from my android device. I have a
transparent squid proxy working with SSL bump (using WiFi to get traffic
through my proxy server). Everything works fine as long as I go through a
browser. But I would like to see the other traffic which the OS and other
apps are sending. Squid uses a certificate I generated for the web sites and
I create an exception for those without issue.
If I install my certificate on the phone will it then accept the certificate
when squid returns it during the ssl setup?

Maybe.

To be clear, I see the phone use port 443 to setup a secure session. However
it rejects the certificate (as it should) and terminates the session with no
data being passed. I can install my certificate on the phone, but will the
android OS use that certificate for all services or only for browser sessions?

Maybe.

If not, is there some other way I can get my fake certificate accepted for
all sessions for which it is used?

Only by adding the CA cert your Squid signs with to the OS certificate
set. Whether it is actually used from there is application specific and
none of us have control over that.

Amos


What kind of device?  I've put my ca cert on a couple Android
devices...ranging from just email the cert and import all the way to
cracking open a certificate .db file and inserting.

James


Re: [squid-users] Installing certificate on Andriod to use with SSL-bump

2015-06-10 Thread James Lay

On 2015-06-10 10:22 AM, Amos Jeffries wrote:

> On 10/06/2015 4:46 p.m., dkandle wrote:
> > I would like to be able to inspect traffic from my android device. I have a
> > transparent squid proxy working with SSL bump (using WiFi to get traffic
> > through my proxy server). Everything works fine as long as I go through a
> > browser. But I would like to see the other traffic which the OS and other
> > apps are sending. Squid uses a certificate I generated for the web sites and
> > I create an exception for those without issue.
> > If I install my certificate on the phone will it then accept the certificate
> > when squid returns it during the ssl setup?
>
> Maybe.
>
> > To be clear, I see the phone use
> > port 443 to setup a secure session. However it rejects the certificate (as
> > it should) and terminates the session with no data being passed. I can
> > install my certificate on the phone, but will the android OS use that
> > certificate for all services or only for browser sessions?
>
> Maybe.
>
> > If not, is there
> > some other way I can get my fake certificate accepted for all sessions for
> > which it is used?
>
> Only by adding the CA cert your Squid signs with to the OS certificate
> set. Whether it is actually used from there is application specific and
> none of us have control over that.
>
> Amos


What kinda device?  I've put my ca cert on a couple Android
devices...ranging from just email the cert and import all the way to
cracking open a certificate .db file and inserting.

James
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Installing certificate on Andriod to use with SSL-bump

2015-06-10 Thread Amos Jeffries
On 10/06/2015 4:46 p.m., dkandle wrote:
> I would like to be able to inspect traffic from my android device. I have a
> transparent squid proxy working with SSL bump (using WiFi to get traffic
> through my proxy server). Everything works fine as long as I go through a
> browser. But I would like to see the other traffic which the OS and other
> apps are sending. Squid uses a certificate I generated for the web sites and
> I create an exception for those without issue.
> If I install my certificate on the phone will it then accept the certificate
> when squid returns it during the ssl setup?

Maybe.

> To be clear, I see the phone use
> port 443 to setup a secure session. However it rejects the certificate (as
> it should) and terminates the session with no data being passed. I can
> install my certificate on the phone, but will the android OS use that
> certificate for all services or only for browser sessions?

Maybe.

> If not, is there
> some other way I can get my fake certificate accepted for all sessions for
> which it is used?

Only by adding the CA cert your Squid signs with to the OS certificate
set. Whether it is actually used from there is application specific and
none of us have control over that.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] assertion failed: Read.cc:69: "fd_table[conn->fd].halfClosedReader != NULL"

2015-06-10 Thread Amos Jeffries
On 10/06/2015 5:24 a.m., Michael Pelletier wrote:
> Hello,
> 
> I am getting these errors on 3.5.5, any ideas? Here is my build configuration:
> 

Please try with the latest 3.5 snapshot. There is a pinning related
patch there which may help.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Migration from squid 3.1.20 to 3.4.8

2015-06-10 Thread Amos Jeffries
On 10/06/2015 9:39 p.m., Diercks, Frank (VRZ Koblenz) wrote:
> Hello squid-users,
> 
> I migrated our Proxy from 3.1.20 to 3.4.8. Here are the changes I made:
> 
> I commented out:
> #acl manager proto cache_object
> #acl localhost src 127.0.0.1/32 ::1
> #acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> 
> And added the following entry:
> http_port xxx.xxx.xxx.xxx.:3129 intercept (port 3128 was already configured without "intercept").
> 
> Everything runs well, except an application which sends data via html to our internet server.
> 
> The first entry is from squid 3.1.20, which runs without problems:
> . .. TCP_MISS/200 317 POST http://xxx.xxx.xxx.xxx/SWIS-Web/TLSReceiver - DIRECT/xxx.xxx.xxx.xxx -
> 
> The second entry is from squid 3.4.8:
> ... TAG_NONE/400 3585 POST /SWIS-Web/TLSReceiver - HIER_NONE/- text/html
> 
> As you can see, squid 3.4.8 doesn't log the http-part. I have no idea why. The entries from cache.log and access.log are clean.
> Every hint is welcome.

Looks like it is being intercepted. But does it contain a Host: header?

Try "debug_options 11,2" to see in cache.log what the messages are.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Migration from squid 3.1.20 to 3.4.8

2015-06-10 Thread Leonardo Rodrigues

On 10/06/15 06:39, Diercks, Frank (VRZ Koblenz) wrote:

> Hello squid-users,
>
> I migrated our Proxy from 3.1.20 to 3.4.8. Here are the changes I made:

Why go to 3.4 if it's already 'old' code? Why not go straight to 3.5, which is the current release?

--

Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email to it:
gertru...@solutti.com.br

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid, Gmail.com and HSTS.

2015-06-10 Thread Michael Monette
Sorry for the noise - I figured it out.

HTTPS was completely dead, which made me wonder if squid was working properly.
It turns out I had some folder permission issues. I needed to chmod -R 777
/var/lib/ssl_db. I guess lack of permissions to that directory caused cert
generation to fail and HTTPS to break. Thanks for reading.

- Original Message -
From: "Michael Monette" 
To: "Amos Jeffries" 
Cc: "squid-users" 
Sent: Wednesday, June 10, 2015 10:25:21 AM
Subject: Re: [squid-users] Squid, Gmail.com and HSTS.

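The fix in the thread was chmod -R 777 on /var/lib/ssl_db. The following is an added example, not code from the thread, of the narrower check a practitioner would run instead: the ssl_crtd database directory should be owned by Squid's effective user (the name is an assumption; pass whatever cache_effective_user is) and writable by that user alone. demo() builds constructed directories under a temporary path to show a passing and a failing case.

```python
"""Check that Squid's ssl_crtd database is owned by the proxy user and not
writable by anyone else, instead of opening it up with chmod 777."""
import os
import pwd
import stat
import tempfile


def ssl_db_problems(path, squid_user):
    """Return a list of problems with the ssl_db directory; [] means OK."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # An absent database is the other common cause of broken cert generation.
        return [f"{path} does not exist (initialise it with ssl_crtd -c -s {path})"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    try:
        want_uid = pwd.getpwnam(squid_user).pw_uid
    except KeyError:
        return [f"user {squid_user!r} does not exist"]
    if st.st_uid != want_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {squid_user} (uid {want_uid})")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        # Anyone who can write here can tamper with or plant generated certs.
        problems.append("directory is group- or world-writable; use mode 0700")
    if (st.st_mode & stat.S_IRWXU) != stat.S_IRWXU:
        problems.append("owner lacks read/write/search access on the directory")
    return problems


def demo():
    """Constructed demonstration: a 0700 directory passes, a 0777 one is
    flagged, and a missing one is reported. Uses the current user as the
    stand-in for the Squid effective user."""
    me = pwd.getpwuid(os.getuid()).pw_name
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "ssl_db_good")
        bad = os.path.join(tmp, "ssl_db_bad")
        os.mkdir(good)
        os.mkdir(bad)
        os.chmod(good, 0o700)
        os.chmod(bad, 0o777)  # what chmod -R 777 leaves behind
        return {
            "good": ssl_db_problems(good, me),
            "bad": ssl_db_problems(bad, me),
            "missing": ssl_db_problems(os.path.join(tmp, "ssl_db_none"), me),
        }


if __name__ == "__main__":
    for name, probs in demo().items():
        print(name, "->", probs or "OK")
```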

Re: [squid-users] Squid, Gmail.com and HSTS.

2015-06-10 Thread Michael Monette
Hi again,

I finally had some time to get back into this, been a busy couple weeks. I 
compiled squid with the "--with-openssl --enable-ssl-crtd" you mentioned, and 
now things seem to be working better with ssl::servername. But for some reason 
I can't get HTTPS traffic to get a cert from squid. All HTTPS traffic is 
getting their certificate from the real sites and I don't really know why 
because it's the same config as before.

Here's a small capture of the logs:

1433945978.888     95 10.117.67.157 TCP_MISS/302 694 GET http://a.tribalfusion.com/z/i.match? - HIER_DIRECT/204.11.109.68 text/html
1433945978.918    306 10.117.67.157 TCP_MISS/302 658 GET http://pixel.advertising.com/ups/50/sync? - HIER_DIRECT/149.174.67.72 -
1433945978.994     72 10.117.67.157 TCP_MISS/204 737 GET http://su.addthis.com/red/usync? - HIER_DIRECT/104.16.24.235 image/png
1433945979.147     65 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 -
1433945979.152     58 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 -
1433945979.972   1068 10.117.67.157 TCP_MISS/204 719 GET http://su.addthis.com/red/usync? - HIER_DIRECT/104.16.24.235 image/png
1433945981.527     50 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 -
1433945981.753     52 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 -
1433945982.006    100 10.117.67.157 TCP_MISS/200 546 GET http://www.google.ca/ads/user-lists/1072396910/? - HIER_DIRECT/216.254.140.45 text/html
1433945983.769     55 10.117.67.157 TCP_MISS/200 546 GET http://www.google.ca/ads/user-lists/1072396910/? - HIER_DIRECT/216.254.140.45 text/html


All the HTTPS traffic is just CONNECTs. I feel like I ran into this problem
when I had been working on this a couple of weeks ago, and I was able to get myself out
of it by messing with the bump steps, but I can't seem to figure it out this
time (or I just can't remember). Hoping for some guidance or hints.

Here's my log again:

# cat /etc/squid/squid.conf
~
debug_options ALL,9

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT


http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1 all
ssl_bump bump step2 all
ssl_bump bump step3 all

acl bl1 dstdomain gmail.com mail.google.com accounts.google.com moz.com
#acl bl1 url_regex -i ^http(s)?://gmail.com
#acl bl2 url_regex -i ^http(s)?://([a-zA-Z]+).gmail.com.*
#acl bl3 url_regex -i ^http(s)?://moz.com.*
#acl bl4 url_regex -i moz.com
deny_info http://ask.com bl1 # I was testing redirecting stuff, but since the 
acl is not even picked up, this stuff is useless.
http_reply_access deny bl1 # useless
#http_access deny bl1 
#http_access deny bl1 CONNECT

http_access allow localnet
http_access allow localhost

http_access allow all

http_port 3128 accel vhost allow-direct

#https_port 3129 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem options=NO_SSLv3
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem options=NO_SSLv3

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

sslproxy_options NO_SSLv2
sslproxy_options NO_SSLv3

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

#cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


- Original Message -
From: "Amos Jeffries" 
To: "Michael Monette" 
Cc: "squid-users" 
Sent: Wednesday, May 27, 2015 7:14:57 PM
Subject: Re: [squid-users] Squid, Gmail.com and HSTS.

On 28/05/2015 
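An added log-triage example, not code from either thread: it parses Squid's native access.log format as it appears in the messages above, counts intercepted HTTPS that was only tunnelled (TAG_NONE CONNECT via ORIGINAL_DST, Michael's symptom) rather than bumped, and lists requests Squid rejected with TAG_NONE/4xx while logging only a path (Frank's 3.4.8 entry, the pattern Amos suggested checking for a missing Host header). The sample lines are constructed from entries on this page plus RFC 5737 addresses; the https:// "bumped" line and the 192.0.2.x/198.51.100.x entries are assumptions.

```python
"""Triage of Squid native access.log lines for the two symptoms above."""
import re
from collections import Counter

# Native format ("logformat squid"):
# time elapsed client code/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample: entries from the threads above plus RFC 5737 addresses.
SAMPLE_LOG = [
    "1433945978.888     95 10.117.67.157 TCP_MISS/302 694 GET http://a.tribalfusion.com/z/i.match? - HIER_DIRECT/204.11.109.68 text/html",
    "1433945979.147     65 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 -",
    "1433945981.527     50 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 -",
    # assumed: what a bumped request looks like once cert generation works
    "1433945995.500    200 10.117.67.157 TCP_MISS/200 5120 GET https://mail.google.com/mail/ - HIER_DIRECT/203.0.113.5 text/html",
    # Frank's 3.4.8 entry: rejected by Squid itself, path-only URL
    "1433945990.001      3 192.0.2.10 TAG_NONE/400 3585 POST /SWIS-Web/TLSReceiver - HIER_NONE/- text/html",
    # Frank's 3.1.20 entry: absolute URL rebuilt, request forwarded
    "1433945990.002    120 192.0.2.10 TCP_MISS/200 317 POST http://198.51.100.20/SWIS-Web/TLSReceiver - DIRECT/198.51.100.20 -",
]


def parse_line(line):
    """Return a dict of fields, or None for a line not in native format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["elapsed"] = int(d["elapsed"])
    return d


def https_bump_summary(lines):
    """'tunnelled': CONNECT logged as TAG_NONE with an ORIGINAL_DST peer, i.e.
    the TLS session was passed through and never bumped.
    'bumped': decrypted requests, which surface with an https:// URL."""
    c = Counter()
    for line in lines:
        e = parse_line(line)
        if e is None:
            c["unparsed"] += 1
        elif e["method"] == "CONNECT" and e["code"] == "TAG_NONE" and e["hier"] == "ORIGINAL_DST":
            c["tunnelled"] += 1
        elif e["url"].startswith("https://"):
            c["bumped"] += 1
        else:
            c["other"] += 1
    return dict(c)


def missing_host_candidates(lines):
    """Requests Squid rejected before any upstream hop (TAG_NONE/4xx, HIER_NONE)
    while logging only a path: on an intercept port this is the shape of a
    request whose Host header Squid could not use to rebuild the absolute URL."""
    return [(e["client"], e["method"], e["url"]) for e in map(parse_line, lines)
            if e and e["code"] == "TAG_NONE" and 400 <= e["status"] < 500
            and e["hier"] == "HIER_NONE" and "://" not in e["url"]]
```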

Re: [squid-users] ssl_crtd breaks after short time

2015-06-10 Thread James Lay
On Tue, 2015-06-09 at 21:39 +0200, Klavs Klavsen wrote:

> Amos Jeffries wrote on 2015-06-09 17:10:
> [CUT]
> > You have to first configure ssl_bump in a way that lets Squid receive
> > the clientHello message (step1 -> peek) AND the serverHello message
> > (step2 -> peek). Then you can use those cert details to bump (step3 ->
> > bump).
> > The config is quite simple:
> >   ssl_bump peek all
> >   ssl_bump bump all
> > 
> I have this:
> ssl_bump peek step1 broken
> ssl_bump peek step2 broken
> ssl_bump splice broken
> ssl_bump peek step1 all
> ssl_bump peek step2 all
> ssl_bump bump all
> 
> > 
> > But there are cases like the client is resuming a previous TLS session
> > where there is no certificates involved. Squid cannot do anything, so it
> > automatically splices (3.5.4+ at least do). Or if you have configured
> > your Squid in a way that there are no mutually supported ciphers.
> > 
> 
> My client is curl.. I don't think that its caching any TLS sessions.
> 
> > 
> > It may just be your ssl_bump rules. But given that this is a google
> > domain there is a strong chance that you are encountering one of those
> > special case.
> >
> I'd like squid to disallow queries where it cannot see what domain name
> / url is going to be accessed.
> 
> I'd like all GET/POST etc. requests to go through squid - so they are
> controlled by the normal http_access rules as http (intercepted) is
> currently.
> 
> This worked with 3.4.12 :( (but only for 30 minutes or less)
> 
> You saw my full config.. how is it supposed to look with 3.5.5, for this
> to work as it did with 3.4.12 ?
> 
> sorry I'm a bit frustrated.. I can't seem to grasp what changed from
> 3.4.12 to 3.5.5, which means I suddenly can't filter https traffic
> anymore :(
> 


Gents,

I'm going to spin this off into a new thread..."Filtering http and https
traffic" sometime later today.  I have some questions, and maybe
solutions.

James
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] Migration from squid 3.1.20 to 3.4.8

2015-06-10 Thread Diercks, Frank (VRZ Koblenz)
Hello squid-users,

I migrated our Proxy from 3.1.20 to 3.4.8. Here are the changes I made:

I commented out:
#acl manager proto cache_object
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

And added the following entry:
http_port xxx.xxx.xxx.xxx.:3129 intercept (port 3128 was already configured without "intercept").

Everything runs well, except an application which sends data via html to our internet server.

The first entry is from squid 3.1.20, which runs without problems:
. .. TCP_MISS/200 317 POST http://xxx.xxx.xxx.xxx/SWIS-Web/TLSReceiver - DIRECT/xxx.xxx.xxx.xxx -

The second entry is from squid 3.4.8:
... TAG_NONE/400 3585 POST /SWIS-Web/TLSReceiver - HIER_NONE/- text/html

As you can see, squid 3.4.8 doesn't log the http-part. I have no idea why. The entries from cache.log and access.log are clean.
Every hint is welcome.

Regards
Frank
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users